diff options
| -rw-r--r-- | debian/.git-dpm | 4 | ||||
| -rw-r--r-- | debian/changelog | 8 | ||||
| -rw-r--r-- | debian/patches/conch-old-privkey-format.patch | 2 | ||||
| -rw-r--r-- | debian/patches/revert-ipqos-defaults.patch | 2 | ||||
| -rw-r--r-- | debian/patches/seccomp-s390-flock-ipc.patch | 47 | ||||
| -rw-r--r-- | debian/patches/series | 1 | ||||
| -rw-r--r-- | sandbox-seccomp-filter.c | 6 |
7 files changed, 12 insertions, 58 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm index 422e4036b..261adc808 100644 --- a/debian/.git-dpm +++ b/debian/.git-dpm | |||
| @@ -1,6 +1,6 @@ | |||
| 1 | # see git-dpm(1) from git-dpm package | 1 | # see git-dpm(1) from git-dpm package |
| 2 | 660f35293504f04d744d2d6ab6276a83fff305a3 | 2 | cfa01c635debb10e05f5ac34d269809c77c582dc |
| 3 | 660f35293504f04d744d2d6ab6276a83fff305a3 | 3 | cfa01c635debb10e05f5ac34d269809c77c582dc |
| 4 | 4213eec74e74de6310c27a40c3e9759a08a73996 | 4 | 4213eec74e74de6310c27a40c3e9759a08a73996 |
| 5 | 4213eec74e74de6310c27a40c3e9759a08a73996 | 5 | 4213eec74e74de6310c27a40c3e9759a08a73996 |
| 6 | openssh_8.1p1.orig.tar.gz | 6 | openssh_8.1p1.orig.tar.gz |
diff --git a/debian/changelog b/debian/changelog index 53ad2d699..4a3c8e3f4 100644 --- a/debian/changelog +++ b/debian/changelog | |||
| @@ -1,3 +1,11 @@ | |||
| 1 | openssh (1:8.1p1-2) UNRELEASED; urgency=medium | ||
| 2 | |||
| 3 | * Drop "Allow flock and ipc syscall for s390 architecture" patch for now; | ||
| 4 | upstream has security concerns with it and it doesn't currently seem to | ||
| 5 | be needed. | ||
| 6 | |||
| 7 | -- Colin Watson <cjwatson@debian.org> Tue, 22 Oct 2019 11:08:23 +0100 | ||
| 8 | |||
| 1 | openssh (1:8.1p1-1) unstable; urgency=medium | 9 | openssh (1:8.1p1-1) unstable; urgency=medium |
| 2 | 10 | ||
| 3 | * New upstream release (https://www.openssh.com/txt/release-8.1): | 11 | * New upstream release (https://www.openssh.com/txt/release-8.1): |
diff --git a/debian/patches/conch-old-privkey-format.patch b/debian/patches/conch-old-privkey-format.patch index 25c16526b..e018ac639 100644 --- a/debian/patches/conch-old-privkey-format.patch +++ b/debian/patches/conch-old-privkey-format.patch | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | From 46352085d71fe406537828a1cee3c2ce896eccb9 Mon Sep 17 00:00:00 2001 | 1 | From bbce4380e516e8bfed1ae09af0bc3661e427794a Mon Sep 17 00:00:00 2001 |
| 2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
| 3 | Date: Thu, 30 Aug 2018 00:58:56 +0100 | 3 | Date: Thu, 30 Aug 2018 00:58:56 +0100 |
| 4 | Subject: Work around conch interoperability failure | 4 | Subject: Work around conch interoperability failure |
diff --git a/debian/patches/revert-ipqos-defaults.patch b/debian/patches/revert-ipqos-defaults.patch index 844b736d7..7fdfe246c 100644 --- a/debian/patches/revert-ipqos-defaults.patch +++ b/debian/patches/revert-ipqos-defaults.patch | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | From 660f35293504f04d744d2d6ab6276a83fff305a3 Mon Sep 17 00:00:00 2001 | 1 | From cfa01c635debb10e05f5ac34d269809c77c582dc Mon Sep 17 00:00:00 2001 |
| 2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
| 3 | Date: Mon, 8 Apr 2019 10:46:29 +0100 | 3 | Date: Mon, 8 Apr 2019 10:46:29 +0100 |
| 4 | Subject: Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP | 4 | Subject: Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP |
diff --git a/debian/patches/seccomp-s390-flock-ipc.patch b/debian/patches/seccomp-s390-flock-ipc.patch deleted file mode 100644 index aaefa9ed4..000000000 --- a/debian/patches/seccomp-s390-flock-ipc.patch +++ /dev/null | |||
| @@ -1,47 +0,0 @@ | |||
| 1 | From cfc30ca51eba79f9f725c22528e3bfec036aa927 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com> | ||
| 3 | Date: Tue, 9 May 2017 10:53:04 -0300 | ||
| 4 | Subject: Allow flock and ipc syscall for s390 architecture | ||
| 5 | |||
| 6 | In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock | ||
| 7 | and ipc calls, because this engine calls OpenCryptoki (a PKCS#11 | ||
| 8 | implementation) which calls the libraries that will communicate with the | ||
| 9 | crypto cards. OpenCryptoki makes use of flock and ipc and, as of now, | ||
| 10 | this is only need on s390 architecture. | ||
| 11 | |||
| 12 | Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com> | ||
| 13 | |||
| 14 | Origin: other, https://bugzilla.mindrot.org/show_bug.cgi?id=2752 | ||
| 15 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2752 | ||
| 16 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686618 | ||
| 17 | Last-Update: 2018-10-19 | ||
| 18 | |||
| 19 | Patch-Name: seccomp-s390-flock-ipc.patch | ||
| 20 | --- | ||
| 21 | sandbox-seccomp-filter.c | 6 ++++++ | ||
| 22 | 1 file changed, 6 insertions(+) | ||
| 23 | |||
| 24 | diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c | ||
| 25 | index b5cda70bb..2f6b0d55b 100644 | ||
| 26 | --- a/sandbox-seccomp-filter.c | ||
| 27 | +++ b/sandbox-seccomp-filter.c | ||
| 28 | @@ -194,6 +194,9 @@ static const struct sock_filter preauth_insns[] = { | ||
| 29 | #ifdef __NR_exit_group | ||
| 30 | SC_ALLOW(__NR_exit_group), | ||
| 31 | #endif | ||
| 32 | +#if defined(__NR_flock) && defined(__s390__) | ||
| 33 | + SC_ALLOW(__NR_flock), | ||
| 34 | +#endif | ||
| 35 | #ifdef __NR_futex | ||
| 36 | SC_ALLOW(__NR_futex), | ||
| 37 | #endif | ||
| 38 | @@ -221,6 +224,9 @@ static const struct sock_filter preauth_insns[] = { | ||
| 39 | #ifdef __NR_getuid32 | ||
| 40 | SC_ALLOW(__NR_getuid32), | ||
| 41 | #endif | ||
| 42 | +#if defined(__NR_ipc) && defined(__s390__) | ||
| 43 | + SC_ALLOW(__NR_ipc), | ||
| 44 | +#endif | ||
| 45 | #ifdef __NR_madvise | ||
| 46 | SC_ALLOW(__NR_madvise), | ||
| 47 | #endif | ||
diff --git a/debian/patches/series b/debian/patches/series index 74cdd2ce3..8c1046a74 100644 --- a/debian/patches/series +++ b/debian/patches/series | |||
| @@ -21,6 +21,5 @@ gnome-ssh-askpass2-icon.patch | |||
| 21 | systemd-readiness.patch | 21 | systemd-readiness.patch |
| 22 | debian-config.patch | 22 | debian-config.patch |
| 23 | restore-authorized_keys2.patch | 23 | restore-authorized_keys2.patch |
| 24 | seccomp-s390-flock-ipc.patch | ||
| 25 | conch-old-privkey-format.patch | 24 | conch-old-privkey-format.patch |
| 26 | revert-ipqos-defaults.patch | 25 | revert-ipqos-defaults.patch |
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c index 2f6b0d55b..b5cda70bb 100644 --- a/sandbox-seccomp-filter.c +++ b/sandbox-seccomp-filter.c | |||
| @@ -194,9 +194,6 @@ static const struct sock_filter preauth_insns[] = { | |||
| 194 | #ifdef __NR_exit_group | 194 | #ifdef __NR_exit_group |
| 195 | SC_ALLOW(__NR_exit_group), | 195 | SC_ALLOW(__NR_exit_group), |
| 196 | #endif | 196 | #endif |
| 197 | #if defined(__NR_flock) && defined(__s390__) | ||
| 198 | SC_ALLOW(__NR_flock), | ||
| 199 | #endif | ||
| 200 | #ifdef __NR_futex | 197 | #ifdef __NR_futex |
| 201 | SC_ALLOW(__NR_futex), | 198 | SC_ALLOW(__NR_futex), |
| 202 | #endif | 199 | #endif |
| @@ -224,9 +221,6 @@ static const struct sock_filter preauth_insns[] = { | |||
| 224 | #ifdef __NR_getuid32 | 221 | #ifdef __NR_getuid32 |
| 225 | SC_ALLOW(__NR_getuid32), | 222 | SC_ALLOW(__NR_getuid32), |
| 226 | #endif | 223 | #endif |
| 227 | #if defined(__NR_ipc) && defined(__s390__) | ||
| 228 | SC_ALLOW(__NR_ipc), | ||
| 229 | #endif | ||
| 230 | #ifdef __NR_madvise | 224 | #ifdef __NR_madvise |
| 231 | SC_ALLOW(__NR_madvise), | 225 | SC_ALLOW(__NR_madvise), |
| 232 | #endif | 226 | #endif |